Control Global

Greg McMillan and Stan Weiner Speak with Electrochemical Measurements Expert Jim Gray About the pH Electrode and Its Full Potential as a Measuring Tool

Stan: A measurement is only as good as its calibration. The pH electrode has by far the greatest sensitivity and rangeability of any measurement in the process industry. The electrode can function well in a wide spectrum of process fluids and…

This State of Technology Report is a compendium of the latest trends articles, back-to-basics tutorials, application stories and product solutions recently published in the pages of Control—compiled by the editors and all together here in one convenient eBook.

Despite ongoing advances in instrumentation technology, specifying a flowmeter or level gauge that will reliably perform over the anticipated range of process conditions often remains a complex and subtle engineering task.
Dozens of niche…

Process plants and related facilities such as tank farms are filled with vessels, tanks and similar storage units, and most of these units could benefit from a system to measure, monitor and view inventory on a near real-time basis. "Logistical…

Additional information and wireless connectivity are further improving productivity, reliability and efficiency.

Like other facilities that have been using the HART Communication Protocol for any amount of time, previous recipients of the HART Plant of the Year Award have been busy reaping even more of the benefits the technology provides. These benefits…

BLH Nobel Introduced a System That Quickly and Easily Checks Weighing Systems for Wiring and Mechanical Faults

Load cell weighing systems solve some of the knottiest problems in batch and level control by directly measuring masses of solids and liquids as they're accumulated, dispensed or conveyed. But the load cells must be installed and wired properly, and the load structure must be engineered and constructed correctly to distribute the measured load as axial forces on the cells. What appear on the surface to be simple wiring and construction tasks have caused more than a few problems during commissioning and maintenance due to miswired or poorly made connections, distorted or binding structures, incorrectly installed load cells or rigid connections to adjacent equipment.
Such problems often are not found until a new installation is being…

Recent

Greg McMillan and Stan Weiner Speak with Electrochemical Measurements Expert Jim Gray About the pH Electrode and Its Full Potential as a Measuring Tool

Stan: A measurement is only as good as its calibration. The pH electrode has by far the greatest sensitivity and rangeability of any measurement in the process industry. The electrode can function well in a wide spectrum of process fluids and…

This month, the editors of Control browse the web to get you the latest online resources on loop control. Here's how you can stay in the loop!

This System Is Closed
This is a basic tutorial on closed-loop control systems. It covers the basic definitions and descriptions of how closed-loop systems work, a discussion of closed-loop summing points and how to use them, transfer functions, multi-loop closed-loop systems and closed-loop motor control. The direct link is www.electronics-tutorials.ws/systems/closed-loop-system.html.Electronics Tutorials www.electronics-tutorials.ws
PID Control
VeriCal in-situ calibration verification This is a basic discussion, with illustrations, of the principles of Proportional, Integral, Derivative (PID) and how it is used with controllers. It also covers tuning rules and starting settingf for common control loops. The direct link is at…

Through the looking glass of emerging technologies.

How might we expect emerging technologies to play out in the world of process control? Successfully predicting the future is difficult at best, so we sought out and consulted with industry visionaries and long-term planners to see where there is…

A Frost & Sullivan report, "Programmable Logic Controllers Market," finds that the market earned revenues of $10.37 billion in 2013 and estimates this will reach $14.58 billion in 2018.

According to analyst firm Frost & Sullivan, the global PLC market, which witnessed a strong decline in growth in 2012 due to the uncertain economic scenario in the developed world, has bounced back. Since 2013, it has witnessed positive growth, particularly in the Asia-Pacific region, where the rebound has been fueled by increased activity, especially in the construction, water and wastewater and power industries.
A Frost & Sullivan report, "Programmable Logic Controllers Market," finds that the market earned revenues of $10.37 billion in 2013 and estimates this will reach $14.58 billion in 2018.
In Europe, the need to enhance efficiency and comply with regulations, as well as improve safety and control capabilities, are driving…

Through the looking glass of emerging technologies.

How might we expect emerging technologies to play out in the world of process control? Successfully predicting the future is difficult at best, so we sought out and consulted with industry visionaries and long-term planners to see where there is…

Control Engineering Branches Out to Manage Critical Business Variables Such as Profitability, Risk, Asset Management and Cybersecurity

Most process engineers I talk to look back on the 1970s and 1980s as the heyday of control engineering, and in many ways it was. More engineers were focused on the applications of real-time control theory then than now. And when you look at how far…

The Latest in Computing Technology Is Here

VERSATILE AUTOMATION COMPUTERS These four new computers are designed for the challenging requirements of the machine automation industries. UNO-3073 and UNO-3073GL have Intel Celeron 1.1- MHz and 1.0-MHz processors; UNO-3083G and UNO-3085G have Intel Core i7 2.2- MHz processors. They have up to five PCI/PCIe expansion slots and support high-speed PCIe x16, x8, x4 and x1 cards and legacy PCI cards. Advantech Industrial Automation Group 800-205-7940www.advantech.com/ea
GAME-CHANGING PACs PACSystems RXi, a new control and computing platform, is designed for the needs of the industrial Internet. The core of the product family is a COM Express architecture with multi-core CPUs. Its configurations are unique in the industry, and able to…

Smart Drives, Mechatronics, Variable-Speed Drives and More Power Options

MEDIUM-VOLTAGE AC DRIVE MV1000 medium-voltage ac drives combine compact modular design, high efficiency and a good MTBF rate. Smart Harmonics technology reduces input total harmonic distortion to less than 2.5% without filters, which exceeds the requirements of IEEE519-1992. It also provides galvanic isolation between power input and output, and uses two 5-V step bridges per phase to generate a 17-level, line-to-line voltage output delivered to the motor. Yaskawa800-927-5292
VSD WITH SMARTSAltivar Process is a range of VSDs from 1 hp to 1,500 hp that come with embedded process knowledge, configurable on-board dashboards and a graphical HMI display. An advanced, secure, integrated web server lets operators access technical…

Since the goal is to control loop stability, the choice that gives you the best chance of that is the one to make.

Question:
Is there some general rule on when we should use =% (equal percentage) and when linear control valves? I know that the determining factor is the inherent flow characteristic, the flow vs. lift at constant pressure drop, or something like…

After six decades of developing on/off valve automation solutions, it might seem logical for Emerson Process Management to pause and take a well-deserved breather. But anyone who thinks that doesn't know how this company works. Just like the…

Smart Drives, Mechatronics, Variable-Speed Drives and More Power Options

MEDIUM-VOLTAGE AC DRIVE MV1000 medium-voltage ac drives combine compact modular design, high efficiency and a good MTBF rate. Smart Harmonics technology reduces input total harmonic distortion to less than 2.5% without filters, which exceeds the requirements of IEEE519-1992. It also provides galvanic isolation between power input and output, and uses two 5-V step bridges per phase to generate a 17-level, line-to-line voltage output delivered to the motor. Yaskawa800-927-5292
VSD WITH SMARTSAltivar Process is a range of VSDs from 1 hp to 1,500 hp that come with embedded process knowledge, configurable on-board dashboards and a graphical HMI display. An advanced, secure, integrated web server lets operators access technical…

Through the looking glass of emerging technologies.

How might we expect emerging technologies to play out in the world of process control? Successfully predicting the future is difficult at best, so we sought out and consulted with industry visionaries and long-term planners to see where there is…

Through the looking glass of emerging technologies.

How might we expect emerging technologies to play out in the world of process control? Successfully predicting the future is difficult at best, so we sought out and consulted with industry visionaries and long-term planners to see where there is…

Local automation pros can learn about key industry developments, gain development hours and upgrade their outdoor skills

Automation professionals in the Los Angeles area will be able to update their professional knowledge, explore key automation trends, receive professional development hours, meet leading industry experts—and improve their outdoor skills—when Siemens brings its Process Automation Tour to Bass Pro Shops in Rancho Cucamonga, Calif., on March 26, 2015.
Session topics will include:
Industrial security for process automation, including a review of the standards (IEC 62443), organizations (NIST) and proper implementations of those standards
Alarm management, with a focus on meeting ISA-18.2, condition monitoring of critical assets and improving operator effectiveness
Process safety management update, including how to keep your system compliant…

The GX and GP Products Are the First of a New SmartDAC+ Product Family

Yokogawa has released the GX and GP Series of digital data acquisition systems, products that go far beyond functionality of the original paperless recorder. Complementing Yokogawa's DXA Advanced R4 series, the GX and GP bring some features that are…

Recent

Because Big Data is Really More of the Same Data, Engineers and Other End Users Find Ways to Take Advantage of New Sources of Intelligence

I'm sorry to be a downer at the start of a shiny New Year, but I'm continually reminded that most new and unfamiliar technical concepts are just more of the same old concepts. Big data is really more of the same data. The Internet of Things (IoT)…

Reader says "NERC CIP does not make the grid more secure or reliable."

In response to Joe Weiss' blog post of Jan. 19, I totally disagree about NERC CIP not making the grid more secure or reliable. Just a few reasons. I have seen where control systems were operated without malware and ultimately became infected. At…

Diagnosing a signaled instrument failure is tricky, time-consuming and usually is called for at a most inconvenient time, but better diagnostics are making the task easier.

Physical Layer Diagnostic Improvements
Why is it, after weeks of seemingly trouble-free plant operation, the phone rings on the holiday weekend when the goose is in the oven and the table is set for dinner? Fortunately for me, the crew on shift was…

A badly designed network is often the weakest link in the system.

IoT's Weakest Link
A common conversation among many industrial networking specialists these days revolves around whether we should be distinguishing between wired and wireless networks. WINA, of which I am chairman, is one organization taking a…

We are destined to have a multiplicity of protocols in our facilities.

Regarding, John Rezabek's February On the Bus column: I think we are destined to have a multiplicity of protocols in our facilities. Actuators and sensors will be at the level of the not-Internet of Things; Ethernet makes no sense there. But…

This white paper is the first in a series to outline a new epoch of industrial automation. All aspects of control system reliability, security and lifecycle cost have been rethought from first principles.

Open Secure Automation™ from Bedrock delivers new levels of ICS reliability, embedded security and unified automation performance at much lower life cycle costs. The mission starts with reinventing the backplane. Bedrock's Backplane Module Interconnect (BMI) is designed with an advanced architecture, industrial grade materials and passive fail-safe principles. With a new foundation, automation can be rebuilt. There is no other way.
This white paper is the first in a series to outline a new epoch of industrial automation. All aspects of control system reliability, security and lifecycle cost have been rethought from first principles.
Download the white paper titled "Revolution" and learn more.

Mobility's True Value Lies in Enabling New Possibilities

Rockwell Automation takes seriously the needs of its users to access information when on the go. For years now, they've offered the ability to send text or email notifications to mobile devices or replicate in-plant or desktop user interfaces on…

Reader says "NERC CIP does not make the grid more secure or reliable."

In response to Joe Weiss' blog post of Jan. 19, I totally disagree about NERC CIP not making the grid more secure or reliable. Just a few reasons. I have seen where control systems were operated without malware and ultimately became infected. At…

As project details take shape, look to collaborative platforms and decoupled hardware and software development paths to speed execution efforts

As early project visioning shifts into more detailed engineering, it's time to take a much closer look at how the latest automation technology and project execution methodologies can be brought to bear for project success. Key automation…

Local automation pros can learn about key industry developments, gain development hours and upgrade their outdoor skills

Automation professionals in the Los Angeles area will be able to update their professional knowledge, explore key automation trends, receive professional development hours, meet leading industry experts—and improve their outdoor skills—when Siemens brings its Process Automation Tour to Bass Pro Shops in Rancho Cucamonga, Calif., on March 26, 2015.
Session topics will include:
Industrial security for process automation, including a review of the standards (IEC 62443), organizations (NIST) and proper implementations of those standards
Alarm management, with a focus on meeting ISA-18.2, condition monitoring of critical assets and improving operator effectiveness
Process safety management update, including how to keep your system compliant…

Coca-Cola and GE Lighting Use Proficy Workflow, Historian, iFix HMI SCADA and Portal Software to Streamline Lighting and Refreshment Production

Seeing is believing, and bringing operational information into the light makes it usable by everyone in an enterprise—allowing them all to make faster, more productive decisions.
This enhanced awareness was especially useful at GE Lighting,…

As project details take shape, look to collaborative platforms and decoupled hardware and software development paths to speed execution efforts

As early project visioning shifts into more detailed engineering, it's time to take a much closer look at how the latest automation technology and project execution methodologies can be brought to bear for project success. Key automation…

Find out what certification ABB Canada received and what B&B ELectronics' new name is.

ABB's operations in Canada have been certified by TÜV SÜD as having in place and applying a functional safety management system (FSMS) for the design and engineering of safety instrumented system (SIS) projects in accordance with industry good practice safety standards. These standards include IEC 61508 and IEC 61511 for the integration and implementation of safety instrumented systems. Networking technology provider B&B Electronics has changed its name to B+B SmartWorx. While continuing to develop mission-critical network connectivity technology for remote or demanding environments, B+B SmartWorx is expanding into the emerging Internet of Things market and embedding intelligence throughout the network connectivity stack from edge…

The Department of Homeland Security wants to help you prevent, respond to and recover from cyber attacks.

As we go to press, the U.S. Congress is threatening to suspend funding for the Department of Homeland Security (DHS). Some members are even calling for its dissolution. But assuming it's still around when you read this, you might consider enlisting…

What do 9/11, the Detroit Bomber and ICS Security Have in Common?

By Walt Boyes, Editor in Chief
In his "Unfettered" blog post, "What do 9/11, the Detroit Bomber and ICS Security Have in Common," Joe Weiss makes a really good point: The result of all governments' responses to the Dec. 25 incident on the approach…

Recent

Will Electronic Marshalling Mean the End of the "Bespoke" Enclosure?

Unlike clothing fashions, enclosure styles don't change a lot from year to year. A 40-year-old enclosure doesn't stand out like your dad's leisure suit. After all, a big metal box is pretty much a big metal box, even with the added glitz of…

Can Process Control Prevent Oil Well Blowouts?

Oil Drilling Accident in the Gulf of Mexico: What caused it? Could We Have Prevented the Blowout with Properly Designed Process Control Systems?

"Ask the Experts" is moderated by Béla Lipták, process control consultant and editor of the Instrument Engineer's Handbook (IEH). The 4th edition of Volume 3, Process Software and Networks, is in progress. If you are qualified to contribute to this volume, or if you are qualified to answer questions in this column or want to ask a question, write to liptakbela@aol.com.

Q: I've received a number of questions about the oil drilling accident in the Gulf of Mexico: What caused it? If properly designed process control systems were used, could the blowout have been prevented? What contributions could process control have made to stop the flow after the blowout?

A: To answer these questions, we must understand the drilling process, the causes of the BP accident and the kinds of automatic controls necessary for both the normal and the emergency drilling operation.

Drilling a test well on land is as simple as digging a hole. Drilling deep under the sea increases both the risks and the costs because of the high pressures and hostile environment at the ocean bottom. As the depth increases, the weight of the connecting piping between the sea floor and the platform above also increases. To reduce this weight and the associated cost, the pipe thicknesses had to be reduced, which could only be achieved if some of the drilling equipment was lowered down to the ocean floor where the pressure is high (2200 PSI in case of BP), the temperature is near freezing, and the environment is corrosive. Furthermore, the lowered equipment is inaccessible and has to be operated by remote-operated vehicles (ROV) or subsea robots.

Under these conditions, state-of-the-art technology, including automatic safety controls, trips and redundant equipment, should have been used, potentially making the drilling of deep sea wells uneconomical and in some cases consuming more energy than the wells produced. The industry and its regulator, the Mineral Management Service, in the absence of standards requiring such controls, concentrated on cutting costs.

The Drilling Process

A simplified sketch of the drilling process is shown in Figure 1. At BP installation, the well was 18,300 feet deep (36 in. diameter at the top; about 10 in. at the bottom) and included a number of casings, conduits, seals, spacers, snubbers and burst disks that are not shown. The casings are inserted into the well bore at various depths and held in place by cement slurry injected between them and the well bore. They should protect against cave-ins, provide a foundation for the drilling fluid (mud) and seal off high-pressure zones.

Figure 1: Simplified view of the drilling process and automatic controls that should have been provided (red ).

During drilling, mud is circulated down the drill pipe and up through the annulus between the well bore and the drill pipe. The mud carries the rock fragments produced by the drilling. This circulating mud also serves to prevent the oil and gas in the deposits from entering the well, because the pressure of the mud inside the well bore is higher than that of the oil outside. If for any reason this pressure difference (ΔP = PMUD – POIL) starts dropping, the mud pressure has to be increased to keep this ΔP positive. Otherwise the oil or gas will enter the well bore.

Once the oil pressure exceeds the mud pressure, it can lift the fluid in the well, and a blowout can occur. In case of the BP installation, four shut-off devices—placed one on top of the other—were provided in the blowout preventer (BOP) in Figure 1. These are shut-off valves that close the well in case of evolving blowout conditions. The first three are pipe rams that close only the annulus. The last one, the shear ram, also cuts the drill pipe and completely closes the well bore.

Causes of the BP Accident

Now we must understand the reasons why the pressure outside the well can suddenly rise and how gas "kicks" can develop. The cause is methane hydrate or methane ice (MI). The MI crystal is a solid similar to ice, except that it traps large amounts of methane within its crystal structure. The extreme cold and crushing pressure (2200 PSI at 5000 feet at the ocean bottom and about 8000 PSI in the oil deposits at 15,000 feet) keeps this crystal in the solid state. If conditions drop below the point of phase transition (PhT), because the pressure drops or the temperature rises, PhT is triggered, and the MI vaporizes. Each cubic foot of MI crystals explodes into 164 cubic feet of gas. Therefore, it is wise to avoid drilling through MI deposits and, if it is done accidentally, to keep the pressure inside the well above and the temperature below the PhT point.

The phase change can also occur in the reverse direction. If methane gas is exposed to water under such conditions that exceed the PhT point, the gas and the water will "freeze" into MI crystals that will plug the piping and other equipment. This can occur if the mud pressure drops below the methane pressure in the deposits, and methane enters the well bore while the pressure and temperature conditions are above the PhT point.

Under these conditions the MI crystals that are formed can also be carried up by the mud flow or by the other fluid that is circulated in the well. As they rise, the pressure in the well decreases, and the MI crystals dissociate into methane gas and water. The rapid gas expansion ejects the circulating fluid from the well, further reducing the pressure, which leads to more hydrate dissociation and further fluid ejection. This violent expulsion of fluid is referred to as a "kick," which can cause blowouts. Once the mud is blown out and methane escapes, all that is needed is a spark to ignite it.

Blowout protection is provided by keeping the mud pressure inside the drill pipe higher than the pressure of the oil and gas outside in the deposits. This is feasible because we know how to measure the difference between these pressures; we know how to increase the mud pressure if the oil or methane pressure rises; and we know how to close off the well if this pressure exceeds the weight of the mud column and a "kick" is evolving. So why did the BP accident occur?

Manual operation means that the response to unsafe conditions depended on the judgment of the rig supervisor. That's dangerous because it is impossible to guarantee that the judgment and decisions of all rig supervisors will be safe 24/7 and not influenced by financial or schedule pressures.

In this case, the rig supervisor at BP decreased the mud density by injecting sea water into the well when it should have been increased. In addition, BP selected a potentially risky type of well casing design and released heat into the well during the cementing process to speed the setting of the concrete, risking the initiation of a "kick." The explosion occurred right after the heating of the cement seal around the wellhead started, causing the MI crystals to explode and shoot up, damaging a badly designed seal.

If automatic controls were used, this operation would not have been allowed in the first place. Automatic controls also would not have allowed continued drilling when they detected that the BOP was faulty, had not been inspected not tested for two weeks, its readiness had not been validated, and its power supply was defective. It was known for days before the accident that hydraulic oil was leaking at the control pad. The rig's alarm system was disabled and did not sound at all during the accident.

It is true that the phase change of methane hydrate causes a kick is so powerful that the drill pipe itself can be pushed into the BOP, and BP argues that nothing could have prevented this accident because the gas bubble caused such structural and mechanical damage to the safety systems and to the BOP itself that it was not possible to seal the well. Not true!

BP has a history of total ignorance of modern process control (The Thunder Horse accident in 2005 was caused by a check valve installed backwards; the 2005 explosion at its Texas City refinery resulted from not having a backup for a high-level switch; the Alaska pipeline accident in May caused by lack of sufficient monitoring, etc.). This backwardness in process control, combined with the company's arrogance and its being in denial are major contributors to the causes of this latest BP accident.

Controls Needed During Normal Operation

Good controls are always crucial, but when drilling for oil they are even more important because here the emergencies evolve faster than manual control can respond, and the sensors and safety trips operate in a very hostile environment. Therefore, the PID loop and the trips must be fast, the sensors redundant, and the final control elements (BOPs and their actuators) must have total backup.

Figure 1 illustrates the basic controls needed during normal operation, and Figure 2 shows the emergency controls that should have been used. The main goal of the normal operating controls is to keep the pressure inside the well higher than the the pressure outside under all conditions, including when drilling through methane hydrate deposits.

As shown in Figure 1, in a properly designed system strain gauge sensors would have measured the differential pressure (ΔP), and a differential pressure transmitter (ΔPT) would have reported this measurement to a differential pressure recorder-controller (ΔP-RC). If the ΔP started to drop, the controller would have automatically increased the mud pressure (PMUD) by either pressurizing the mud tank (in seconds) and/or by increasing the mud density. BP had no such automatic controls and did not have means to pressurize the mud tank. All the components must be designed for operating in the hostile undersea environment, and be provided with self-diagnostics and full automatic backup. If BP had such a control loop, when the methane pressure started to rise, it would have automatically increased the mud pressure to balance the system, and prevented the evolution of a kick.

Controls Needed During Emergencies

In a properly designed system, if the normal operation controls fail or do not respond fast enough, the ΔP would drop to zero, and the low ΔP switch (ΔPS-L) would have automatically actuated the blinding rams in the BOP to close the annulus. If the blinding rams were also too slow or failed, and the mud pressure dropped further, the low-low ΔP switch (ΔPS-LL) would have automatically actuated the shear ram, completely closing the metal casing by also cutting the drill pipe.

The key error in the BP design was that neither the slide valve nor the shear ram itself had any backup. If correctly designed, the fully automatic operation of the shear ram system would have been as shown in Figure 2. In that system, the trips detect two levels of unsafe conditions. The response to the lower level trips is to actuate the backup shuttle valve and the associated components that operate the ram piston while the higher level trips would have caused the actuation of the backup blind shear ram in the backup BOP.

In this configuration, when the lower level response is initiated, the backup shuttle valve should not use the same energy source (hydraulic) as the failed one. The energy source for operating the backup BOP also should be different from the one used for the main BOP. Therefore, the backup system should be operated by high-pressure nitrogen.

The lower level response is triggered by low oil pressure (PSL) or low oil flow (FSL), which are usually caused by oil leakage and/or by the shuttle valve position detector (IPoS) signaling that the valve did not reach the required position. Naturally, these switches must be designed for operation in a deep-sea environment and be provided with wireless backup.

It is essential to increase both the speed and strength of the final control element (the ram) and its actuator (the piston), so that the ram will close before the kick has time to pass through. This can be achieved by increasing the flow and pressure of the operating fluid and substantially increasing the piston diameter. In case the kick is still faster than the ram, and it carries stone or pipe fragments into the BOP, the actuator must be strong enugh to cut through not only the drill pipe, but also all that material.

This backup blind shear ram did not exist at the BP installation. If it did it, it would have automatically started closing when the primary ram failed to fully close and its wedge locks jammed. BP—after 90 days—finally added a second BOP, which temporarily closed the well, proving that if they had a backup BOP to start with, the accident would not have occurred. The ROV also would have been able to operate the backup shear ram by both hydraulic and mechanical means. It would also have had the strength to close the BOP.

In summary, there were no automatic and wireless BOP controls at all. In addition, the dead-man switch was not wireless, and no backup was provided for the BOP, the shuttle valve or the hydraulic oil system. Lastly, no mud flow velocity and density sensors were provided, so that during normal operation the mud flow and, in case of a blowout, the oil/gas flow could have been continuously and accurately measured.

It should be noted that the oil industry in general opposes the automatic actuation of the shear ram, because spurious trips and the resulting slicing of the drill pipe could result in the loss of the test well. In my view accepting that risk is a small price to pay for protection against the BP-like accidents. In addition, if the operators knew that reducing the mud pressure and heating the cement seal) could automatically cause the actuation of the shear ram, they would think twice before doing it.

Safety Standards and Regulations

It is not clear which existing arm of the government should regulate offshore drilling and what safety standards should guide their design, operation and maintenance. As of today, the applicable Security Integrity Level (SIL) has not even been decided for deep-sea drilling. In a nutshell, the whole industry is basically unregulated, meaning that it is self-regulated, and the level of operational safety varies from corporation to corporation. Let me briefly address each of the above issues.

As to the regulating arm of the government is concerned, it is questionable if the Mineral Management Service (MMS), the U.S. Coast Guard (USCG) or some other agency should be made responsible for regulating this industry. Until now it was the MMS, and it failed in its role. Today the USCG has jurisdiction over ships. It is debatable if oil/gas drilling platforms, which are basically floating facilities, can be considered ships, but it is unquestionable that the selected regulating arm of the government should have experience in marine safety, and USCG does have that. However, it also seems that the experience of the Coast Guard is more in the area of security and less in the area of safety. So, in a way, the assigning this regulation to the Coast Guard is like expecting the police to treat accident victims.

On the topic of applicable standards, the API 14C committee (dominated by oil giants) excluded deep-sea drilling from being covered by any standards. Similarly, the applicability of the internationally adopted IEC 61511 standard has been restricted to be applicable to production (and not drilling) platforms. As to the standards that should be used, my view is that a new one is needed. While some elements of such existing standards as API 14C 7th ed., IEC 61511, ISA TR84.00.07, IEC 61508, ISO10418:2003, etc. are applicable, none of them cover all the needs of this new industry fully.

As to the required Security Integrity Level (SIL) that should apply to deep sea drilling, I favor SIL 3. This level is next to the most demanding level of relative risk reduction, having a risk reduction factor (RRF) of 1000 to 10,000, according to IEC 61508. It should be noted that MMS mandated the applicability of SIL 3, but only for the high- pressure section of the production riser. Yet, if this rule was followed (in case of the BP rig the BOP is in the high-pressure section, but not involved in oil production), the HIPPS (High-Integrity Pressure Protection System) would have prevented over-pressurization by not allowing the pressure in the downstream piping to exceed its design pressure. If this mandate had been implemented in the BP installation, the accident would have been avoided.

Another safety concern, which is seldom considered, is cybersecurity. If instrument and control systems (ICS) are not totally isolated from information technology (IT) systems, this can cause hazards (to all industries, not just oil drilling). If there is a hole in the security wall between IT and ICS, the critical operating controls and safety systems can be accessed, disabled or revised through the Internet by hostile parties or by accidental causes. The Hatch Nuclear Plant cyber incident demonstrates this, and we better learn that while the ICSs look like IT systems, they are not and need to be addressed accordingly.

Cyber vulnerabilities can arise from simple practices, such as allowing workers to access smart grid control system devices using a Bluetooth connection, all the way to cyber terrorism. The present state of affairs is dangerous because IT serves corporate convenience, and the users of direct data gathering are ignorant of the potential consequences. This can cause grievous harm to control systems. Yet, when it comes to the development of cybersecurity standards and regulations, it is done almost completely by IT people and not by the process control people. Consequently the drafts produced meet only the needs of the IT community.

We must realize that standards and regulations alone can not instill a culture of safety. To instill and to develop such a culture, corporations should stop judging and rewarding their engineers on the basis of cutting corners and reducing costs and should start evaluating their performance on the basis of quality, efficiency and safety. But corporations will not do that unless it is in their interest to do so.

Therefore, the safety record of corporations should be widely distributed, allowing the average citizen to take that into account when making a purchasing decision. Similarly, not only the corporations should be penalized for their safety offenses, but also their officers as individuals.

In case of the BP accident, the BOP's reliability and availability numbers did not meet even minimum risk level standards! This could occur only because there were neither regulations nor enforcement and because economics was considered to be more important than safety or preparedness for handling accidents. Future regulations must include accident mitigation response including the use of oil skimmers, booms, controlled burning, health and welfare monitoring of workers, human resource pools, ecology monitoring, coast line protection, etc. In the future, such regulations must also state that all foreign companies violating the standards will be fined and banished from U.S. waters.

It is also important to realize that criminal penalties and economic liabilities alone will not instill a culture of safety; positive incentives are also needed! In the case of drilling for oil, for example, the corporations with good safety records should be rewarded by paying less in royalties for their off-shore leases and should receive their permits faster than the ones with bad safety records. These steps would reduce the presently prevailing conflict between safety on the one hand and cost and schedule on the other.

The Moral

What should we learn from this accident? One of the important lesson is that accidents can be very expensive, and the protection against them should override any other consideration. A consequence of this recognition is that the role of process control engineers should be increased. This is because while the specialists of mechanical, electrical, civil, chemical or computer engineering are all doing a good job within their fields, none of them are qualified to look at the overall process. Only process control engineers have the overall understanding to design systems that will guarantee total safety, but we are far from this being universally understood.

(When I was teaching process control at Yale University, I did that within the chemical engineering department. My books on process control are being published within the electrical engineering department. This is not because these institutions have anything against our profession! It is because they don't even know that it exists!)

Full automation is required not only because human judgment is a function of the qualification of the person making the decisions, but also because that judgment can be influenced by cost and schedule considerations or can be too slow to arrest a quickly evolving unsafe condition.

Another lesson we should learn is the need for process-specific regulations so that drilling for oil could not take place without automatic safety equipment, backup and redundancy. This is essential because if each platform is individually designed and is operated by cost and schedule-oriented "objective management," these accidents will continue to occur. On the other hand, if the world's best talent, - and not the views of the lobbyists and politicians in Washington, where there are nearly 500 oil industry lobbyists - is used to come up with an international reference standard, safety will be improved. Finally and most important, society as a whole must accept that safety costs money, and that cost has to be paid for by the user through increasing the cost of gasoline.

Naturally, we should also realize that this cost of "scraping the bottom of the barrel" for traditional energy sources could be better spent by investing it in the conversion to free, safe and inexhaustible energy sources (such as solar hydrogen). This is true not only because sooner or later this conversion has to be done anyway, but also because (while offshore drilling today provides thousands of jobs) the conversion will create millions, and if renewable energy plants are moved into the areas devastated by oil spills, the people there will have jobs and our grandchildren will have no reason to ask: "Why did you not act in time?"

If Anything like BP's Oil Spill or the Financial Crisis Had Happened on a Smaller Scale and In a Smaller
Community, the Cops Would Have Been Called, and the Perps Would Have Been Horsewhipped and Thrown in Jail

A new multi-phase flowmeter from Agar is unique in that it delivers the goods. The flow measurement system provides gauging of oil, water and gas flows simultaneously without completeley separting the phases.